We are deep in October – the security awareness month – and everybody is encouraged to take an extra step in securing their data, safeguarding themselves from digital threats, and contributing to stronger corporate security. With businesses and organisations continuing to set up remote work arrangements, cyber attackers are becoming more persistent and cunning. With each passing day, there seems to be a new scheme or attack strategy, leaving individuals and companies more vulnerable and unprotected. How can an organisation act to protect its assets and improve the cybersecurity level efficiently? First and foremost, a strategic approach to cybersecurity management can significantly lower the possibility of getting hacked and the costs associated with cyber-attacks. In this blog post, we will discuss cybersecurity in terms of security awareness, cloud and IoT technologies, supply chain-induced security issues, and the umbrella concept of cyber resilience.
Cyber Resilience
Let’s start with the umbrella. What is cyber resilience? For years, we have been talking about cybersecurity. However, in recent years, cyber resilience has emerged as a term that covers more than “just” security. The idea behind resilience is to prove that you are not only striving for the highest possible level of security – since 100 % security is by no means achievable – but capable of surviving and recovering if (or when) you get hacked. Resilience is about not shutting down the services or closing the business due to a successful cyber-attack. It is about growing stronger and learning from experience to block the next attack attempt more effectively.
Cyber resilience does not come easy. It requires a high level of user awareness, support from management and skilled engineers who can make the most out of available security solutions. It often requires support from different service providers who can offer consulting and services that help improve the overall security picture.
Where should you start building cyber resilience?
The starting point depends on the maturity of your cybersecurity management. If you are an enterprise with a long tradition of internal IT and you have a dedicated security team, you have probably already optimised the technological part of cybersecurity management; in this case, it is a good idea to enhance user awareness training and thus minimise the possibility of a successful social engineering attack.
If you are a start-up with only a few users and no internal IT, there is little chance you have a large budget for implementing security devices. Hence, promote user awareness activities, which include regular training in the form of dedicated materials and simulations of phishing attacks. Educated users can build a real human firewall and block sophisticated cyber-attack attempts.
How about organisations that are short on security devices, have understaffed IT or security team, and have many users? The best idea in this case would probably be to fix the technological part first. Why? Many users mean a more protracted process of building a security-aware community. Therefore, an investment in a reliable security solution would significantly improve the security of the internal network. At the same time, start working on security awareness, introducing phishing simulations, and training sessions.
It is not just “our” cybersecurity – it is the supply chain security
There were times when you put a firewall on the perimeter to control the traffic entering the network, and you could have peace of mind. This era is long gone. Now you have several security devices, possibly a security operations centre keeping an eye on the traffic 24/7, and you run pentests, maybe even do Red Teaming exercises. However, it seems it is still not enough. Why not?
Because in 2023, cybersecurity is not only a matter of one organisation but of all organisations linked in a network of external operators and IoT devices. Consequently, attackers have gained a much larger attack surface with potentially exploitable vulnerabilities. Furthermore, cybercriminals are developing new and more sophisticated attack techniques that are difficult to recognise and block.
As new European regulation NIS2 suggests, monitoring third-party security posture is an efficient way to avoid supply-chain attacks. Dedicated tools enable you to keep an eye on the external network of your suppliers and react if their scorecard drops. You can also use these tools in the selection process when choosing between two or more suppliers. If their scorecard is good, you can be at least to some extent reassured that your data will be safe and no backdoor will be left open on their side.
Transparency in business relationships helps improve overall cybersecurity
When speaking of supply chains and establishing connections between companies, transparency is an important aspect to consider. Two companies connected via a VPN or shared storage in the cloud should share their data and asset protection policy, disclose possible risks so the other party can analyse them in the context of their organisation, and respect mutual confidentiality, which should also be contractually arranged. Changes to security policies that might affect the other party should be clearly communicated, and the companies should inform each other in case of security incidents.
Security breaches might be hard to confess, but disclosing such information to the parties involved helps prevent third or fourth parties from further security attacks. A circle of trust should be established so that organisations can deliver security-related information to those concerned while preserving the confidentiality and integrity of the affected company.
Security awareness as part of organisational culture
Here comes into play the concept of security awareness. Being aware of potential security issues does not only mean not clicking on a phishing link but also not telling your colleague from another department that the company you work with has been breached. A security-aware user knows which information is sensitive, what is okay to say and what is not, and who is entitled to read an email or a document left on the desk and who is not.
Therefore, building security awareness includes training with phishing simulations and regular support materials covering not only phishing but also other aspects associated with social engineering, such as document handling, tailgating, communication, and so on. Organisations offering their employees opportunities to build their cybersecurity skills incorporate cybersecurity into their values, becoming a part of organisational culture.
To conclude, risk management protocols, transparency, and cyber resilience measures are crucial for mitigating potential cyber-attacks. The goal of each organisation should be to become not only cyber-secure but cyber-resilient. Furthermore, you should engage all your resources to respond adequately to a cyber-attack so that the company can overcome the attack, learn from experience, and grow stronger.